yarn policies set-version with a GITHUB_TOKEN issues a deprecation notice email from GitHub #8227

@pixelastic

Bug description

When I run GITHUB_TOKEN=XXXX yarn policies set-version to commit the latest yarn version inside my repo everything works correctly. Then, some time later, I will receive an email from GitHub similar to this (personal info removed):

Hi @pixelastic,

On June 25th, 2020 at 13:49 (UTC) your personal access token (XXXXXX) using yarn/1.21.1 npm/? node/v12.12.0 linux x64 was used as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/repositories/49970642/releases

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don't have control over, be aware that it may stop working as a result of this deprecation.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks,
The GitHub Team

When a GITHUB_TOKEN env variable is found, yarn uses it to do an authenticated call to the GitHub API (to bypass any rate limit as implemented here #6912).

But GitHub is deprecating passing the token as a query parameter; it should now be passed as a header instead, so this call triggers a warning that in turn sends an email.

Command

GITHUB_TOKEN=XXXX yarn policies set-version

What is the current behavior?
Local yarn version is correctly installed. No warning is displayed in the CLI interface. Everything seems to work correctly.

But a strange email will soon appear in one's inbox, and it can be confusing understanding where it is coming from. More importantly, the feature will stop working when GitHub completely stops accepting the token this way.

What is the expected behavior?
No deprecation notice email should be received. yarn should pass the token through a header instead of a query string.

Steps to Reproduce

  1. Run GITHUB_TOKEN=XXX yarn policies set-version in any repo (with a valid GITHUB_TOKEN)
  2. Wait (from a few minutes to a couple hours) for the email to arrive

Environment

  • Node Version: v12.12.0
  • Yarn v1 Version: 1.21.1
  • OS and version: Ubuntu 18.04.4 LTS
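
The two ways of sending the token that this issue contrasts, as an added example (not yarn's code): the deprecated `access_token` query parameter beside the `Authorization` header, plus a check and a log redaction for URLs that still carry the token. The function names, the User-Agent value and the token are constructed for illustration; the URL is the one quoted in the email above.

```javascript
// Added example, not yarn's implementation. No network call is made:
// the functions only build the request description a client would send.
const RELEASES_URL = 'https://api.github.com/repositories/49970642/releases';

// Deprecated form: the token becomes part of the URL, so it also ends up
// wherever URLs are recorded (proxy logs, shell history, error reports).
function buildQueryRequest(url, token) {
  const u = new URL(url);
  if (token) u.searchParams.set('access_token', token);
  return { url: u.toString(), headers: { 'User-Agent': 'example-client' } };
}

// Expected form: the token travels in the Authorization header and any
// access_token left in the URL is stripped before the request is built.
function buildHeaderRequest(url, token) {
  const u = new URL(url);
  u.searchParams.delete('access_token');
  const headers = { 'User-Agent': 'example-client' };
  if (token) headers.Authorization = `token ${token}`;
  return { url: u.toString(), headers };
}

// Check for a test suite or log review: does this URL carry the credential?
function tokenInQuery(url) {
  return new URL(url).searchParams.has('access_token');
}

// Redact the credential before a URL is written to a log.
function redactUrl(url) {
  const u = new URL(url);
  if (u.searchParams.has('access_token')) {
    u.searchParams.set('access_token', 'REDACTED');
  }
  return u.toString();
}

const token = 'CONSTRUCTED_TOKEN'; // placeholder, not a real credential
const before = buildQueryRequest(RELEASES_URL, token);
const after = buildHeaderRequest(before.url, token);
console.log(tokenInQuery(before.url), redactUrl(before.url));
console.log(tokenInQuery(after.url), after.url, Object.keys(after.headers));
```

The object returned by `buildHeaderRequest` maps directly onto the `headers` option of Node's `https.get` or `fetch`.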
